RAS question
What is the maximum penalty for inadequate data security under DPDP Rules?
Correct answer: (D) ₹250 crore.
Failure by a Data Fiduciary to maintain reasonable security safeguards under the DPDP framework can attract the highest penalty, up to ₹250 crore.
Explanation
The maximum penalty is ₹250 crore because inadequate data security corresponds to failure by a Data Fiduciary to maintain reasonable security safeguards. The PIB note on the DPDP Rules states that this is the highest penalty category. It also separates this from two other serious defaults: not notifying the Board or affected individuals about a personal data breach, and violations of obligations relating to children. Those defaults can each attract penalties of up to ₹200 crore, not ₹250 crore. The exam trap is therefore the difference between a security-safeguards failure and breach-notification or children’s-data violations. Among the options, only ₹250 crore matches the ceiling for inadequate data security.
Why the other options are wrong
- (A) ₹50 crore is too low because the PIB note places failure to maintain reasonable security safeguards in the highest penalty category of up to ₹250 crore.
- (B) ₹100 crore is not the penalty ceiling for inadequate data security under the PIB note on the DPDP Rules.
- (C) ₹200 crore is linked to breach-notification failures and violations of obligations relating to children, whereas inadequate security safeguards carry a higher ceiling of ₹250 crore.
Concept
This tests digital governance and data-protection enforcement under the DPDP Act and Rules. It recurs in RAS because privacy, citizen rights and regulatory penalties are central to contemporary governance questions.
